diff --git a/docs/rpi-secure-boot.md b/docs/rpi-secure-boot.md index 2401e7441..cc5af4004 100644 --- a/docs/rpi-secure-boot.md +++ b/docs/rpi-secure-boot.md @@ -49,22 +49,20 @@ The partitions are mounted under `/mnt/boot` and `/mnt/rpi` respectively. ## Device locking -RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed `boot.img` file with the following `config.txt` settings: +RaspberryPi devices require post-installation setup to lock the device after the installer image completes programming. This locking process needs to write to OTP and requires a USB connection and the `rpiboot` utility loading a dedicated signed EEPROM image file with the following `config.txt` settings: * **revoke_devkey=1**: Prevents EEPROM downgrades to versions that don't support secure boot * **program_pubkey=1**: Programs the digest of the EEPROM's public key to OTP * **program_jtag_lock=1**: Disables the GPU JTAG interface * **eeprom_write_protect=1**: Sets the EEPROM to write protect -Finally, further OTP changes can be locked down to prevent mangling of OTP data. - ## EEPROM updates on locked devices Once a device is secure boot enabled and is locked down, `rpiboot` driven EEPROM updates will no longer work. Only EEPROM self-updates are possible. ## Re-programming of locked devices -Once a device is secure boot enabled and is locked down, `rpiboot` needs to use a dedicated signed `boot.img` to expose the encrypted internal storage and allow re-programming. +Once a device is secure boot enabled and is locked down, re-programming can be done by USB booting a signed flasher images. The use of `rpiboot` to expose internal storage is not supported. ## Debugging 
diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend index f12568d88..a869a6eef 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend +++ b/layers/meta-balena-raspberrypi/recipes-bsp/bootfiles/rpi-config_git.bbappend @@ -40,6 +40,10 @@ do_deploy:append:revpi-connect-4() { echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt } +do_deploy:append:raspberrypicm4-ioboard-sb() { + echo "dtoverlay=dwc2,dr_mode=host" >> ${DEPLOYDIR}/bootfiles/config.txt +} + do_deploy:append:raspberrypi3-unipi-neuron() { # Use the dt overlays required by the UniPi Neuron family of boards echo "dtoverlay=neuronee" >> ${DEPLOYDIR}/bootfiles/config.txt diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt new file mode 100644 index 000000000..9ba850ef0 --- /dev/null +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/files/raspberrypicm4-ioboard-sb/default-config.txt @@ -0,0 +1,7 @@ +[all] +BOOT_UART=0 +WAKE_ON_GPIO=0 +POWER_OFF_ON_HALT=1 +FREEZE_VERSION=0 +HDMI_DELAY=0 +BOOT_ORDER=0xf2165 diff --git a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb index 18b9a6d18..128faa4ff 100644 --- a/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb +++ b/layers/meta-balena-raspberrypi/recipes-bsp/rpi-eeprom/rpi-eeprom_git.bb 
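Review bot: The new `do_deploy:append:raspberrypicm4-ioboard-sb` override repeats the revpi-connect-4 body verbatim and, unlike the unipi-neuron override below it, carries no comment saying why this machine needs the OTG controller forced into host mode. Add a one-line comment above the echo, e.g. `# Run the CM4 IO board USB-C/OTG port as a host (same setting as revpi-connect-4 above)`, so the reader does not have to reconstruct the reason from the BOOT_ORDER and kernel changes elsewhere in this commit. If a third machine picks up the same line, a shared variable consumed by one override would be cleaner than another copy of the echo.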
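Review bot: `BOOT_ORDER=0xf2165` is an undocumented magic value in a new file; read right-to-left it tries BCM-USB-MSD (5), NVMe (6), SD (1) and network (2) before restarting (f), so removable and network media are consulted before the storage this secure-boot machine is meant to protect. That ordering is consistent with the docs change in this commit (re-programming by USB-booting a signed flasher image), but it means the bootloader's signature check is the only thing standing between an attached medium and a boot — any image signed with the same key, including an older flasher, will presumably be accepted unless a rollback control exists outside this file. If the bootloader config parser accepts `#` comments, record the decoding and this rationale next to the line; otherwise put it in docs/rpi-secure-boot.md alongside the locking settings.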
@@ -2,7 +2,7 @@ SUMMARY = "Installation scripts and binaries for the Raspberry Pi 4 EEPROM" DESCRIPTION = "This repository contains the rpi4 bootloader and scripts \ for updating it in the spi eeprom" LICENSE = "BSD-3-Clause & Broadcom-RPi" -LIC_FILES_CHKSUM = "file://LICENSE;md5=f546ed4f47e9d4c1fe954ecc9d3ef4f3" +LIC_FILES_CHKSUM = "file://LICENSE;md5=449418bd5e2b674b51a36c78f3f85a01" SRC_URI = " \ git://github.com/raspberrypi/rpi-eeprom.git;protocol=https;branch=master \ @@ -15,12 +15,12 @@ SRC_URI += " \ file://default-config.txt \ " -SRCREV = "3b393d31ac0f1864420d47028b5703a70ad8da8f" -PV = "v2023.10.18-2712" +SRCREV = "e430a41e7323a1e28fb42b53cf79e5ba9b5ee975" +PV = "v2024.06.05-2712" # We use the latest stable version # which is available in "stable" -LATEST_STABLE_PIEEPROM_FW:raspberrypi4-64 = "2023-05-11" +LATEST_STABLE_PIEEPROM_FW:raspberrypi4-64 = "2024-05-17" VL805_FW_REV = "000138a1" FIRMWARE:raspberrypi4-64 = "firmware-2711" 
@@ -117,6 +117,17 @@ do_deploy () { if [ -f "${S}/${FIRMWARE}/critical/vl805-${VL805_FW_REV}.bin" ]; then cp ${S}/${FIRMWARE}/critical/vl805-${VL805_FW_REV}.bin ${DEPLOY_DIR_IMAGE}/${PN}/vl805-latest-stable.bin fi + if [ "x${SIGN_API}" != "x" ]; then + install -d ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock + cp -avL ${S}/${FIRMWARE}/stable/recovery.bin ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/bootcode4.bin + echo "uart_2ndstage=1" > ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "eeprom_write_protect=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "program_pubkey=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "revoke_devkey=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + echo "program_jtag_lock=1" >> ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/config.txt + cp -av ${WORKDIR}/pieeprom-latest-stable*bin ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/pieeprom.bin + cp -av ${WORKDIR}/pieeprom-latest-stable*sig ${DEPLOY_DIR_IMAGE}/rpi-eeprom/secure-boot-lock/pieeprom.sig + fi } # vl805 utility is deprecated, see https://github.com/raspberrypi/rpi-eeprom/commit/fed1ca62a5752cb5a990608c8c897ce0b077600a diff --git a/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb b/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb index 0f39a16a6..d77074103 100644 --- a/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb +++ b/layers/meta-balena-raspberrypi/recipes-devtools/usbboot/usbboot-native_git.bb 
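Review bot: The `secure-boot-lock` bundle is produced whenever `SIGN_API` is set, yet its config.txt programs irreversible OTP state (`revoke_devkey=1`, `program_pubkey=1`, `program_jtag_lock=1`, `eeprom_write_protect=1`), so any build with a signing backend configured — presumably including development or test signing — now ships an image that permanently locks a device to whichever key is embedded in the copied `pieeprom.bin`. Gate it behind an explicit opt-in the way this same commit gates the MSD image in the usbboot recipe with `BALENA_SIGN_MSD`, and drop a short README into the directory stating that running it is a one-way operation. The `cp -av ${WORKDIR}/pieeprom-latest-stable*bin ... pieeprom.bin` and matching `*sig` copies depend on exactly one glob match each; a second matching file in `${WORKDIR}` hands cp two sources for a non-directory target and aborts the task, so prefer the exact file names produced earlier in this recipe if they are fixed. `uart_2ndstage=1` is written into the lock image but is not among the settings docs/rpi-secure-boot.md lists for this step; either document it as debug output or leave it out. do_deploy begins before this hunk.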
@@ -20,7 +20,7 @@ do_install(){
 install -m 644 ${S}/msd/bootcode4.bin ${D}
 install -m 644 ${S}/msd/start.elf ${D}
 install -m 644 ${S}/msd/start4.elf ${D}
- if [ "x${SIGN_API}" != "x" ]; then
+ if [ "x${SIGN_API}" != "x" ] && [ "${BALENA_SIGN_MSD}" = "1" ]; then
 install -d ${D}/secure-boot-msd/
 if ! do_sign_rsa "${S}/secure-boot-msd/boot.img" "${D}/secure-boot-msd/boot.sig"; then
 bbfatal "Failed to sign boot image"
diff --git a/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend
new file mode 100644
index 000000000..7f8a17072
--- /dev/null
+++ b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-balena-bootloader_%.bbappend
@@ -0,0 +1,3 @@
+# Enable the dwc2 driver
+BALENA_CONFIGS:append:raspberrypicm4-ioboard-sb = " dwc2"
+BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y"
diff --git a/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend
index 3a13faf44..402c6ac37 100644
--- a/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend
+++ b/layers/meta-balena-raspberrypi/recipes-kernel/linux/linux-raspberrypi_%.bbappend
@@ -46,3 +46,6 @@ BALENA_CONFIGS[pieeprom] = " \
 CONFIG_SPI_BCM2835=y \
 CONFIG_SPI_SPIDEV=y \
 "
+
+BALENA_CONFIGS:append:raspberrypicm4-ioboard-sb = " dwc2"
+BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y"
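Review bot: The new `BALENA_SIGN_MSD` guard keeps the signed `secure-boot-msd/boot.img` path alive while docs/rpi-secure-boot.md in this same commit states that using rpiboot to expose internal storage is not supported; the code and the docs should agree. Signing is irreversible in the sense that matters here: an MSD image signed once with the production key (presumably the same key `do_sign_rsa` uses for the other images) is accepted by every device locked to that key until the key is rotated, so a build that accidentally sets `BALENA_SIGN_MSD=1` creates a permanent storage-exposure tool. If the path is meant only as a lab escape hatch, say so in a comment above the `if`, e.g. `# Opt-in only: a signed MSD image exposes internal storage on every device locked to this key`, and mention the variable in the docs; if it is not meant to be used at all, remove the branch rather than flag it. The enclosing `do_install` starts before and ends after this hunk.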
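Review bot: `BALENA_CONFIGS[dwc2] = "CONFIG_USB_DWC2=y"` and the `:raspberrypicm4-ioboard-sb` append are now defined identically here and in the new linux-balena-bootloader_%.bbappend, so the two copies will drift the first time one of them grows. Consider moving both lines into a shared .inc required by the two bbappends, and add a comment such as `# dwc2 controller for the CM4 IO board USB-C port; pairs with dtoverlay=dwc2,dr_mode=host in config.txt` so the dependency on the bootfiles change in this commit is visible from the kernel side. The `pieeprom` flag above already shows the file's convention for grouping related options under one flag.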